This article will provide you with guidance on how to configure the Azure Key Vault networking settings to work with other applications and Azure services. To learn about different network security configurations in detail, read here.
Here's step-by-step instructions to configure Key Vault firewall and virtual networks by using the Azure portal, Azure CLI and Azure PowerShell
- Browse to the key vault you want to secure.
- Select Networking, and then select the Firewalls and virtual networks tab.
- Under Allow access from, select Selected networks.
- To add existing virtual networks to firewalls and virtual network rules, select + Add existing virtual networks.
- In the new blade that opens, select the subscription, virtual networks, and subnets that you want to allow access to this key vault. If the virtual networks and subnets you select don't have service endpoints enabled, confirm that you want to enable service endpoints, and select Enable. It might take up to 15 minutes to take effect.
- Under IP Networks, add IPv4 address ranges by typing IPv4 address ranges in CIDR (Classless Inter-domain Routing) notation or individual IP addresses.
- If you want to allow Microsoft Trusted Services to bypass the Key Vault Firewall, select 'Yes'. For a full list of the current Key Vault Trusted Services please see the following link. Azure Key Vault Trusted Services
- Select Save.
You can also add new virtual networks and subnets, and then enable service endpoints for the newly created virtual networks and subnets, by selecting + Add new virtual network. Then follow the prompts.
Here's how to configure Key Vault firewalls and virtual networks by using the Azure CLI
Install Azure CLI and sign in.
List available virtual network rules. If you haven't set any rules for this key vault, the list will be empty.
az keyvault network-rule list --resource-group myresourcegroup --name mykeyvault
Enable a service endpoint for Key Vault on an existing virtual network and subnet.
az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.KeyVault"
Add a network rule for a virtual network and subnet.
subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
az keyvault network-rule add --resource-group "demo9311" --name "demo9311premium" --subnet $subnetid
Add an IP address range from which to allow traffic.
az keyvault network-rule add --resource-group "myresourcegroup" --name "mykeyvault" --ip-address "191.10.18.0/24"
If this key vault should be accessible by any trusted services, set bypass
to AzureServices
.
az keyvault update --resource-group "myresourcegroup" --name "mykeyvault" --bypass AzureServices
Turn the network rules on by setting the default action to Deny
.
az keyvault update --resource-group "myresourcegroup" --name "mekeyvault" --default-action Deny
Here's how to configure Key Vault firewalls and virtual networks by using PowerShell:
Install the latest Azure PowerShell, and sign in.
List available virtual network rules. If you have not set any rules for this key vault, the list will be empty.
(Get-AzKeyVault -VaultName "mykeyvault").NetworkAcls
Enable service endpoint for Key Vault on an existing virtual network and subnet.
Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.1.1.0/24" -ServiceEndpoint "Microsoft.KeyVault" | Set-AzVirtualNetwork
Add a network rule for a virtual network and subnet.
$subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -VirtualNetworkResourceId $subnet.Id
Add an IP address range from which to allow traffic.
Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -IpAddressRange "16.17.18.0/24"
If this key vault should be accessible by any trusted services, set bypass
to AzureServices
.
Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -Bypass AzureServices
Turn the network rules on by setting the default action to Deny
.
Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -DefaultAction Deny
References
Next steps